Detection of a rerouting of a communication channel of a telecommunication device connected to an NFC circuit

ABSTRACT

The invention relates to a method for detecting an attempt to reroute a communication channel between a port of a security module and a port of a near-field communication router, which are in a telecommunication device, wherein, upon receiving a message in a near-field communication format, the security module verifies from which port of the communication router said message originates.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a U.S. National Stage patent application based onInternational patent application number PCT/EP2011/052902, filed on Feb.28, 2011, which application claims the priority benefit of French patentapplication number 10/51694, filed on Mar. 9, 2010, which applicationsare hereby incorporated by reference to the maximum extent allowable bylaw.

BACKGROUND

Technical Field

The present disclosure generally relates to transactions performed bymeans of mobile telecommunication devices of cell phone type. Thepresent disclosure more specifically applies to such devices furtherequipped with a near field communication circuit (NFC).

Discussion of the Related Art

Cell phones are more and more often equipped with a near fieldcommunication interface which enables them to combine electromagnetictransponder functions with mobile telephony functions. In particular,this adds functions of emulation of an electromagnetic transponder, ofcontactless or contactless card reader type to the mobiletelecommunication device, for example a personal digital assistant, acell phone, a smartphone, etc. This considerably enhances the featuresof the mobile device, which can then be used, for example, as anelectronic purse, as an access or transport ticket validation device,etc.

To emulate the operation of a contactless chip card, the mobiletelecommunication device is equipped with a contactless front-endintegrated circuit (CLF), also called an NFC router. This router isequipped with a radio frequency (RF) transceiver front-head associatedwith a low-range antenna to communicate as an electromagnetictransponder. The router uses the capacities of the processor(s) of themobile device for data processing and storage operations. Forapplications of access control, electronic purse, payment, etc., asecure element enabling to authenticate the user is used. This secureelement is either integrated with the mobile telecommunication device(dedicated integrated circuit, circuit soldered to the printed circuitboard) or contained in a microcircuit supported by a subscriberidentification module (SIM), or any other removable card, for example atthe standard format of a memory card.

An NFC router may also be present in a mobile device of USB key type, ina bank teller terminal, in an adhesive device (sticker), etc.

An emulation of a contactless card in a mobile telecommunication deviceis capable of generating weak points in terms of transaction security.

It would be desirable to be able to detect such weak points.

It would further be desirable to avoid such weak points to securetransactions.

The ETSI TS 102 622 V.7.4.0 Standard of April 2009 establishes variouscharacteristics of a communication interface in a security module of atelecommunication device provided with a near field communication.

SUMMARY

According to a first aspect, an embodiment detects a piracy attempt on atelecommunication device associated with a near field communicationmodule.

According to another aspect, an embodiment overcomes all or part of thedisadvantages of mobile telecommunication devices associated with a nearfield transmission module.

According to still another aspect, an embodiment improves the securityagainst a piracy attempt on a security module of subscriberidentification module type, contained in a telecommunication deviceassociated with a near field transmission module.

An embodiment provides a method for detecting an attempt to divert acommunication pipe between a gate of a security module and a gate of anear field communication router present in a telecommunication device,wherein, on reception of a message in a near field communication format,the security module verifies from which gate of the communication routerthe message originates.

According to an embodiment, an activity of peripherals connected to therouter is monitored by a microcontroller equipping the telecommunicationdevice.

According to an embodiment, the security module verifies the existenceof a communication pipe between a gate connecting it to the router and agate connecting the router to a microcontroller of the device.

According to an embodiment, the router communicates to the securitymodule data relative to the pipe used, on reception by the securitymodule of messages in the near field communication format.

According to an embodiment, the data represent a signature taking intoaccount an identifier of the pipe and of the associated gates.

An embodiment also provides a security module intended for atelecommunication device equipped with a near field communicationrouter, comprising means capable of implementing the detection method.

An embodiment also provides a telecommunication device equipped with anear field communication router, comprising means capable ofimplementing the protection method.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing objects, features, and advantages of the embodiments willbe discussed in detail in the following non-limiting description ofspecific embodiments in connection with the accompanying drawings.

FIG. 1 schematically shows a mobile telecommunication device of the typeto which the embodiments apply as an example;

FIG. 2 is a diagram illustrating a function of a near field transmissionmodule of the device of FIG. 1;

FIG. 3 very schematically illustrates an attack capable of exploiting aweakness of the telecommunication device of FIG. 1;

FIG. 4 illustrates an embodiment of a preparatory phase of such anattack;

FIG. 5 illustrates an embodiment of a method of protection against suchan attack;

FIG. 6 illustrates another embodiment of a method of protection againstthe attack illustrated in FIG. 3; and

FIG. 7 illustrates a variation of the embodiment of FIG. 6.

DETAILED DESCRIPTION

The same elements have been designated with the same reference numeralsin the different drawings. For clarity, only those elements and stepswhich are useful to the understanding of the embodiments have been shownand will be described. In particular, the coding and communicationprotocols, be it for near-field transmissions or for telecommunicationsin GSM mode, have not been detailed, the embodiments being compatiblewith usual protocols. Further, the circuits forming the mobilecommunication device have not been detailed either, the embodimentsbeing here again compatible with usual programmable devices.

FIG. 1 very schematically shows a mobile telecommunication device (forexample, a cell phone) of the type to which the embodiments apply as anexample. The different elements of interface with the user (keyboard,display, speaker, etc.) have not been shown, since these elements arenot modified by the implementation of the embodiments which will bedescribed.

Device 1 comprises a central processing unit 12 (CPU/TH) formed of atleast one microprocessor forming the device core. This microprocessor iscurrently called terminal host. For the telecommunication operation overa network (GSM, 3G, UMTS, etc.), this microprocessor uses identificationand authentication data provided by a subscriber identification module14 (SIM), forming a security module of the device. Microprocessor 12 iscapable of using one or several internal memories, not shown, of thetelephone. Telephone 1 may also comprise a memory card reader 16 orother buses of communication with the outside to load data and/orapplications into the telephone.

The mobile devices to which the described embodiments apply combine thetelecommunication function with that of a near field contactlesstransmission system (NFC). For this purpose, device 1 comprises acircuit 18 (CLF—contactless front-end) forming a near fieldcommunication module, like an electromagnetic transponder. Module 18 isassociated with an antenna 182 distinct from an antenna 20 intended forthe mobile telephony network. Circuit 18 may be associated with asecurity module (SSE) 24 distinct from SIM card 14 and directly presenton the printed circuit board of the telephone, or supported by aremovable microcircuit card (for example, in the format of a memorycard). Module 18 is also called an NFC router.

The different elements of device 1 communicate according to variousprotocols. For example, circuits 12 and 18 communicate over a link 1218of I2C or SPI type, SIM card 14 communicates with microprocessor 12 overa link 1214 according to ISO standard 7816-3, and security module 24communicates with router 18 according to this standard over a link 2418.Router 18 communicates with the SIM card, for example, over asingle-wire bus 1418 (SWP—Single Wire Protocol). Other versions ofprotocols and links are of course possible.

The embodiments will be described in relation with a GSM telephone. Theembodiments however more generally applies to any telecommunicationdevice adapted to a mobile network (for example, Wifi, Bluetooth, WiMax,etc.) and associated with a contactless transmission module (NFCrouter), for example, a USB key, a bank terminal, a power consumptionmeter, or other), an access or transport ticket validation terminal,etc.

Similarly, the near field communication module will be called a routersince it generally integrates all the functions useful to the emulationof a contactless card within a same circuit, but the describedembodiments apply to any NFC-type module.

Router 18 comprises physical terminals of connection to links 1218,1418, and 2418 and manages logic gates for assigning these terminals tothe different functions associated with near field communications.Router 18 thus comprises a processor and volatile and non-volatilememories for storing, among others, a routing table for the differentlogic gates. Some gates are reserved for router administration functionswhile others can be freely assigned by the router.

In operation, router 18 makes available and manages different pipes ofcommunication with the other circuits 12, 14, 24, etc. of the mobiledevice to provide these circuits access to the near field communicationfunctions, that is, to gates connected to radio frequency transmissioncircuits, called RF gates.

FIG. 2 very schematically illustrates, in the form of blocks, therouting function of router 18. For simplification, FIG. 2 is astructural representation while, in practice, the assignment of thedifferent gates to the different circuits of the mobile device is asoftware operation performed by the routing table.

Each of the router terminals (TERMINALS) is assigned one or severalgates (GATES). In the example of FIG. 2, it is assumed that physicallinks 1418 and 1218 of SIM card 14 and of microcontroller 12 areconnected to terminals of router 18 and that gates are assigned to thesecircuits. Several gates may be assigned to the same circuit (which issymbolized in FIG. 2 by the connection of a same terminal to severalgates). The routing table of router 18 assigns some gates to internalfunctions (for example, configuration and administration functions), butalso creates pipes (PIPE) between some gates assigned to the SIM card orto the RF microcontroller, and gates (RF GATES) comprised in module 18.This corresponds to the creation of pipes between the circuits externalto router 18 and its RF transmission circuits for the implementation ofthe different applications requiring a near field communication. Forexample, in bank, transport, electronic purse, access applications, etc.which require a secure identification or authentication of the user, oneor several pipes are created between the router and the SIM card toexploit the secure user identification data and validate thetransaction.

The integration of NFC routers in mobile telecommunication devices andthe sharing of a same security module (SIM card) generate weak points interms of security.

Authentication tools may be provided to make sure that the links betweenthe router and the different external circuits are not pirated. However,this appears to be insufficient in view of a weak point that the presentinventors have identified and which will be described to hereafter.

Router or NFC module 18 generally is a single integrated circuit and itsexternal accesses are rather well protected against possible piracyattempts.

Up to now, the main concern has been to guarantee that a near fieldtransaction emulated by the mobile device would not enable a piratedevice intercepting the near field communication to use data provided bythe security module.

However, there remains a risk since router 18 also manages a pipe(ATPIPE symbolized in FIG. 2) of communication between SIM card 14 orany other security module, and microcontroller 12 of the mobiletelecommunication device. This pipe is normally used so that SIM card 14informs microcontroller 12 that a message reaches it over the NFC link.It is, however, also possible to divert this use to make security module14 believe that it communicates with the router for a near fieldtransaction and thus over a pipe with the RF gates of the telephone,while it is actually communicating with microcontroller 12.

FIG. 3 very schematically illustrates, in the form of blocks, thepossible use of a pipe ATPIPE between a SIM card 14 and amicrocontroller 12 of a cell phone 1.

It is assumed that, in a preparatory phase of the attack, GSM phone 1has been pirated and a pipe ATPIPE has been diverted via router 18between its SIM card 14 and its microcontroller 12. The routing table ofrouter 18 thus contains the data of the “diverted” pipe. It is alsoassumed that a pirate application (PA) has been stored in a memory 13(MEM) of phone 1 and that this application may provide instructions tomicrocontroller 12. Several embodiments of the preparatory phase will bediscussed subsequently. The user of device 1, once it has been hacked bythe loading of application PA and by the creation of pipe ATPIPE, is notcapable, as will be seen hereafter, to notice a malfunction. He uses histelephone normally.

One of the functions of application PA is to automatically trigger aresponse of phone 1 after a request originating from thetelecommunication network and transmitted by another mobile device 3owned by the attacker. The pirate device for example is another GSMphone 3 which uses its own subscriber identification module tocommunicate over the GSM network (symbolized by a relay antenna 5). Itmay also be a microcomputer associated with a GSM module.

In the example of FIG. 3, device 3 is also equipped with a contactlessrouter, for example, to initiate near field transactions with a terminal7 (for example, an NFC terminal or any other contactless communicationterminal). For example, device 3 is used to make a purchase with apayment to be validated by its NFC router.

Normally, for such a payment, the router of telephone 3 manages acommunication pipe with the subscriber identification module (or anotherdedicated security module) of this telephone to authenticate the userand validate the payment.

In the mechanism of FIG. 3, at the payment validation, telephone 3 usesthe GSM network to ask telephone 1 to validate the payment by means ofits subscriber identification module. For example, device 3 sends an SMSover network 5 which, when received by telephone 1, is processed by thepirate application. Said application simulates requests from the RFgates and transmits them over pipe ATPIPE, so that identification module14 responds and validates the transaction. This validation is divertedby microcontroller 12 and is sent back to device 3 which, in turn,transmits it to its NFC router to validate the payment for terminal 7.As a result, the payment is debited to the subscriber of telephone 1 andnot to the attacker owning device 3. Most often, a contactlessapplication requires no interaction with the terminal (7, FIG. 3) exceptfor a presentation of a contactless device. In particular, no PIN keyingis required for a near field communication to avoid lengthening thetransactions, so that device 3 may easily pirate distant device 1.

The countermeasures providing encryptions and/or signatures betweenterminal 7 requesting the authentication and the security module areineffective to counter this attack. Indeed, the data between terminal 7and module 14 need no decoding. A communication pipe has actually beenestablished between module 14 of telephone 1 and terminal 7 viatelecommunication network 5, so that module 14 behaves as if it was innear field transaction with terminal 7.

The same type of piracy may occur for passage authentication orvalidation applications, of secure access type.

Further, this attack may also be successful even without pirate device 3using its own NFC router, for example, using a contactless communicationmode, provided that the requested authentication originates from asecurity module and respects the formats and protocols used by the NFCprotocol. Further, such an attack may be used to divert any data fromdevice 1 for a pirate system (for example, data duplicating the contentof the magnetic track of a card in a bank payment application).

Further, the attack may involve the SIM card of cell phone 1 or of anyother security module (for example, module 24), provided that a pipe ismanaged by router 18 between this module and a circuit (generally,microcontroller 12) capable of managing communications over network 5.

This attack on near field transactions, using the telecommunicationnetwork, is due to the presence of a communication pipe, via the NFCrouter, between a security module and a microcontroller connected tothis router.

Implementing the attack requires a preparatory phase in which anintervention of the telephone 1 which is desired to be pirated isnecessary. This preparation requires an intervention depending on thesecurity level provided by the SIM card to the management of the NFCcommunication pipes.

In a simplified embodiment, the microcontroller is allowed to create apipe on any free gate. In this case, a pirate application loaded intothe microcontroller is capable of creating a pipe through the NFC routerto the SIM card. If, afterwards, the SIM card performs no other checkingthan to acknowledge that the format of the requests corresponds to theformat of a radio frequency frame originating from an NFC circuit, thepirate application may attack the SIM card.

According to another embodiment, security module 14 is more advanced andchecks the association between the numbers of the pipes or of its owngates and the RF gates.

In a first case, it is considered that SIM card 14 does not take intoaccount the circuit with which the gate is created (and thus, the factthat it may be a gate intended for the microcontroller). This embodimentuses the fact that the assignment of the pipe numbers (identifiers) isoften sequential. It is first started by asking the microcontroller toeliminate a pipe between the SIM card and the RF gates. Then, a pipehaving the same identifier is created between the microcontroller andthe SIM card.

FIG. 4 illustrates another embodiment of a preparatory phase of theattack aiming at diverting a pipe between router 18 (CLF) and the SIMcard (SIM1) of a user. This embodiment is more specifically intended forsystems in which the SIM card makes sure, before transmitting data tothe CLF router, that it has effectively controlled the creating of thecommunication pipe therewith.

The fact that, prior to the initialization of device 1, the SIM cardchecks whether it has already been in the presence of router 18 isexploited herein. If not, it reconfigures the pipes between its gatesand the NFC router.

In a normal operation, at the first connection of card SIM1 in telephone1, the card causes the creating, at the level of the so-called transportlayer, of at least one communication pipe, identified as SYNCID1, withthe CLF router. For this purpose, card SIM1 sends to the CLF router bothsynchronization data SYNCID1 and a number (typically, a random numberRD1). Number RD1 is stored in the CLF router and is used by card 14 tocheck that it has already caused the creation of a pipe with thisrouter. On each initialization, the card verifies the existence ofnumber RD1 in the router. To achieve this, the card requests from therouter to create a pipe between one of its gates, identified as GATEID,and one of the RF gates, identified as RFGATEID. The router then createsa pipe and assigns it an identifier PIPEID and, at the same time, storessaid identifier in the routing table and communicates it to card SIM1.Each time data are requested by the router, card SIM1 verifies thatidentifier PIPEID of the pipe is correct.

To implement the attack, the hacker should have cell phone 1 and cardSIM1 in his possession for a period of time. This is relatively easy,for example, by asking the owner of the cell phone to lend it tosupposedly make a call, or by fraudulently using a phone during amaintenance operation, for example, in a mobile telephony shop.

With card SIM1 and the telephone provided with router 1, the piratestarts by introducing card SIM1 in a pirate device (PIRATE READER), forexample, another cell phone having a microcontroller capable ofexecuting a piracy program complying with the described functions, or acomputer provided with a card reader and simulating a router. Since cardSIM1 has never met the NFC router of the pirate device or emulated bysaid device, it generates a new synchronization identifier SYNCID2. Itsends back gate identifiers RFGATEID and GATEID to create thecorresponding pipes. The pirate router then assigns, to at least onepair of gates, a pipe FPIPEID which corresponds to a gateway between therouter and an external gate of the microprocessor instead of associatinggate GATEID to an RF gate. Identifier FPIPEID and identifiers SYNCID2and RD2 are then loaded into a falsified card SIM2. Card SIM2 thencontains a routing table associating gates RFGATEID and GATEID with pipeFPIPEID.

Then, card SIM2 is introduced into telephone 1. Identifiers SYNCID2 andRD2 are then transferred to CLF router 18 to create pipe FPIPEID betweengates designated as GATEID and RFGATEID. This amounts to modifying therouting table of the router so that when the pipe between gates GATEIDand RFGATEID is called, the assigned pipe is pipe FPIPEID instead ofPIPEID.

The assignment of pipe FPIPEID may take various forms according to theway in which the pipes are assigned to the gates in the router. Forexample, a phase of observation of the gate assignment is gone throughby placing card SIM2 in the router to observe the pipe assignmentmethod, before introducing card SIM2 into the pirate reader.

The “real” card SIM1 is then placed back into telephone 1. Since the CLFrouter knows identifiers RD2 and SYNCID2, the card considers that it“knows” the router and does not recreate pipes therewith. When card SIM1requests a communication towards gate RFGATEID, the router uses theassigned pipe FPIPEID.

The GSM terminal has effectively been pirated, that is, a pipe FPIPE (orATPIPE, FIG. 2) has been created between a gate GATEID of the SIM cardand a gate of microcontroller 12, while card SIM1 believes that thispipe connects its gate GATEID to gate RFGATEID. This pipe can then bediverted for a distant access over the GSM network from another terminal(FIG. 3). The downloading of pirate application PA can be performedeither subsequently or at the same time as the pirate pipe generation.

There are various possibilities, depending on device 1. For example, therouting table may be read from. If this is not possible, it is possible,during the passing of card SIM1 in the pirate reader, to emulate anoperation of the CLF circuit, in order to obtain the full configurationstored in this card. A pirate card SIM2 or a card emulator may also beused to extract the data from the routing table in valid phone 1.

It can thus be seen that it is possible to parameterize the diverting ofa communication pipe between a security module and an NFC router toestablish a pipe between this module and the telephone microprocessor,external to the NFC router.

So that the user of telephone 1 does not notice the piracy, even when heuses his contactless mode, the pirate application should comprise thefunction of redirecting pipe FPIPE towards the RF circuits of the routerwhen a data request towards the SIM is transmitted by router 18.

FIG. 5 shows an example of a routing table of a router 18 according toan embodiment of a method for protecting a communication device againstattacks such as described hereabove.

This drawing illustrates an example of recordings of a routing table ofrouter 18. Usually, the table puts a pipe identifier PIPEID incorrespondence with two gate identifiers GATEID between which the pipeis created. It is desired to make sure that the radio frequencyinterface gates RFGATEID are not diverted.

According to this embodiment, each pipe identifier depends on the gateidentifier. For example, each identifier comprises a first set portion(in FIG. 5, from left to right and with notation B0 to B7, bits B1 toB5), which identifies the gate of the RF interface and a second portion“xx” (for example, bits B6 and B7) dynamically assigned during thegeneration. In this example, it is considered that first bit B0 is notused.

Thus, the SIM card can always check whether the pipe identification bitscomprise the identification bits of one of the gates of the RFinterface. This identifier is set for a given router.

To implement this embodiment, the security module should know the pipeidentifier creation rule, to be able to determine the identifier of thegate with which the pipe will be created.

A combination function more complex than a mere bit juxtaposition may beprovided, provided that this function is injective. A simpler functionwhere pipe identifier PIPEID corresponds to RF gate identifier RFGATEIDmay conversely be provided.

Further, all the router gates are not necessarily taken into account. Atleast the RF interface gates should, however, be protected.

In case of an attack, either the pirate device does not respect thegeneration rule and identifier FPIPEID assigned by the router is notoperative, or he knows and respects the generation function and the pipewill then not be diverted.

The identifiers may vary from one router to another (for example, byassociating a number depending on the circuit identification or seriesnumber). In this case, the gate identifiers will have to be communicatedto any SIM card introduced into the telephone.

According to another embodiment derived from the first one, theverification is performed by the microcontroller and not by the securitymodule. An advantage then is that the protection is compatible withexisting SIM cards. However, the verification program in themicrocontroller should be protected to avoid being circumvented by apirate application.

FIGS. 6 and 7 illustrate another embodiment aiming at protecting atelecommunication device equipped with an NFC router. FIG. 6 illustratesthe exchanges between the router and the SIM card so that the cardaccepts to transmit data to the router. FIG. 7 illustrates the exchangesbetween the router and the SIM card for the creation of pipes.

According to this embodiment, the PIN code of the user (FIG. 7)associated with the security module is verified (VERIFY PIN) for eachmodification of the routing table. Accordingly, the preparatory phase ofthe attack (for example, that discussed in relation with FIG. 4) is notpossible since the user is not present to key in his PIN code ongeneration of the diverted pipe identifier. In the example of FIG. 7,the pipe creation request (CREATE PIPE) is transmitted by the SIM cardto router 1 by sending identifiers GATEID and RFGATEID.

In a simplified embodiment, only this validation of a modification ofthe routing table (or an authorization to modify this table) by acapture of the PIN code is implemented.

Preferably, a signature (for example, a CRC code) at least taking intoaccount identifier RFGATEID and the identifier of the addressee,generally designated as DestHostId, is used.

As illustrated in FIG. 6, for each data request, generally designated asEVT_CARD_ACTIVATED, from the CLF router to the SIM card, said card asksthe router (GET PIPE INFO) to provide it with data about the pipe (inparticular, the related gate identifiers PIPE INFO). It then calculatesa current value of the signature to compare it (CHECK CRC) with thereference code that it contains. The card only provides the data (andthus validates the transaction) if the CRC code is valid. Accordingly,if the routing table has been modified by a pirate device, the signaturewill be different and the card will be able to notice it. As avariation, the current signature is calculated by the router andtransmitted to the SIM card for verification.

In a simplified embodiment, if the time assigned to the verificationenables it, a reading of the routing table by the SIM card and a directcomparison of a recording of this table that it contains may beprovided.

According to another variation, the security module only verifies thesignature of the routing table to authorize the provision of data. Thisvariation is, however, less secure since it does not come along with thecapture of an authentication code of the user.

The reference signature is preferably calculated and stored by the SIMcard (FIG. 7, STORE CRC) at the time when a pipe creation is requested,based on the identifiers that it transmits to the router and on the pipeidentifier that said router returns thereto. As a variation, thereference signature is calculated by the router during the modificationand is provided to the SIM card for storage. An advantage of acalculation by the SIM card is that the implementation of thecountermeasure then requires no modification of the router. It issufficient to modify the SIM card program so that it not only requeststhe PIN code before causing a pipe creation, but also makes the sendingof data dependent on a signature verification.

According to an alternative embodiment, the verification mechanism isnot implemented for each data exchange request between the SIM card andthe NFC router, but only at the initialization or booting of the mobiledevice.

It should be noted that most of the devices equipped with an NFC routershould have the ability to operate even when they are off, that is, bybeing remote-supplied by a read terminal containing them in its field.This is not a weak point in above-advocated solutions. Indeed, whendevice 1 is off, its microcontroller is also off. There thus is no riskto have a pirate communication over the GSM network to validate adistance purchase.

It is possible to detect that a mobile communication device and morespecifically its SIM card or its NFC router are vulnerable to theabove-described attack by implementing it.

According to another aspect, it is provided to modify the router and thesecurity module so that they detect a pipe diversion attack such asdescribed hereabove.

For example, the microcontroller monitors the activity of theperipherals connected to the router to detect a sending from themicrocontroller to the CLF router which would immediately precede a datarequest towards the SIM.

According to another example, on each reception of an RF message (fromthe NFC router), the SIM card verifies the routing by polling therouter. Such an embodiment requires a modification of the router to addto it a function or instruction causing the sending of data relative tothe routing (detail of the gates associated with a pipe). It may also beprovided to have the router calculate a signature (for example, a CRCcode) of each pipe/gate association (of their identifiers) to enable theSIM card to verify them.

The detection of an attack attempt may be followed by any adaptedcountermeasure. For example, a sound and/or visual alert is transmittedto the user. According to another example, the detection of an attackcauses a reset of the telecommunication device or of the router.According to still another example, the provision of data by the SIMcard is stopped.

It is further possible to verify that one of the embodiments of thecountermeasure has been implemented by attempting one of the attacks,preferably the most elaborate attack (FIG. 4) and by watching whether itfails or succeeds.

Different embodiments have been described. Different alterations,modifications, and improvements will occur to those skilled in the art.In particular, the routing table signature mechanism may be associatedwith a mechanism of authentication of the exchanges between the SIM cardand the NFC router.

Finally, the practical implementation of the embodiments, be it byhardware or software means, is within the abilities of those skilled inthe art based on the functional indications given hereabove.

Having thus described at least one illustrative embodiment of theinvention, various alterations, modifications, and improvements willreadily occur to those skilled in the art. Such alterations,modifications, and improvements are intended to be within the spirit andscope of the invention. Accordingly, the foregoing description is by wayof example only and is not intended as limiting. The invention islimited only as defined in the following claims and the equivalentsthereto.

What is claimed is:
 1. A method, comprising: using one or more firstcommunication pipes within a near field communication (NFC) router of atelecommunication device to implement NFC transactions of one or moreauthorized applications executed by an applications processor of thetelecommunication device, the one or more first communication pipesbeing coupled between radio-frequency gates of the NFC router andphysical gates of the NFC router assigned to a security module of thetelecommunication device; using one or more second communication pipesto implement the NFC transactions of the one or more authorizedapplications executed by the applications processor, the one or moresecond communication pipes being coupled between physical gates of theNFC router assigned to the applications processor and physical gates ofthe NFC router assigned to the security module; detecting an attempt touse one of the one or more second communication pipes to implement anNFC transaction of an unauthorized application executed by theapplications processor, the detecting including the acts of: receiving,by the security module, a message in a near field communication formatvia one of the first communication pipes or one of the secondcommunication pipes; and responding to receipt of the message byverifying, with the security module, based on identification bitsassociated with an NFC router gate in the routing table, from which gateof the NFC router the message originates and that the gate from whichthe message originates is a valid originating gate of messages in an NFCformat; and responding to a failure of the verification by preventingimplementation of the NFC transaction of the unauthorized application.2. The method of claim 1, wherein an activity of peripherals connectedto the NFC router is monitored by a microcontroller of thetelecommunication device.
 3. The method of claim 1, wherein the securitymodule verifies existence of an administrative communication pipebetween one gate connecting the security module to the NFC router andanother gate connecting the NFC router to a microcontroller of thetelecommunication device.
 4. The method of claim 1, wherein the NFCrouter communicates data to the security module, the data related to thecommunication pipe over which the message in the NFC format wasreceived, the data communicated when the security module receives themessage in the NFC format.
 5. The method of claim 4, wherein the datarepresents a signature formed using identifiers of the communicationpipe over which the message in the NFC format was received, a firstgate, and a second gate.
 6. The method of claim 1, comprising: inresponse to the failure of the verification, presenting an alert to auser of the telecommunication device.
 7. The method of claim 1,comprising: in response to the failure of the verification, causing areset of the telecommunication device.
 8. The method of claim 1,comprising: in response to the failure of the verification, causing areset of the NFC router.
 9. The method of claim 1, comprising: inresponse to the failure of the verification, inhibiting communicationfrom the security module.
 10. The method of claim 2, comprising: withthe microcontroller, detecting information sent from the microcontrollerto the NFC router, wherein a data request to the security moduleprecedes the sending.
 11. The method of claim 5, comprising: calculatingthe signature using the NFC router.
 12. A method comprising: receiving,by a security module, a message in a near field communication (NFC)format, via one of one or more first communication pipes of an NFCrouter coupled between respective radio-frequency gates of the NFCrouter and respective gates of the NFC router assigned to the securitymodule; or via one of one or more second communication pipes of the NFCrouter coupled between respective gates of the NFC router assigned to anapplications processor and respective gates of the NFC router assignedto the security module; in response to receiving the message in the NFCformat, verifying whether a gate from which the message originatesrepresents a valid originating gate of the NFC router of messages in anNFC format based on identification bits associated with an NFC routergate in the routing table; and in response to a failure of theverification, preventing validation of a NFC transaction associated withthe message received in the NFC format.
 13. The method of claim 12,wherein the NFC router and the security module are part of atelecommunication device, and wherein verifying whether the gate fromwhich the message originates represents a valid originating gate of theNFC router of messages in an NFC format comprises: receiving, from theNFC router by the security module of the telecommunication device, dataidentifying the one or more first communication pipes.
 14. The method ofclaim 13, wherein the data identifying a communication pipe of the oneor more first communication pipes includes a signature calculated withan identifier of the communication pipe, an identifier of a first gateof the communication pipe, and an identifier of a second gate of thecommunication pipe.
 15. The method of claim 14, wherein the calculatedsignature is calculated by the NFC router.
 16. The method of claim 12,comprising: in response to a failure of the verification, presenting analert to a user.
 17. The method of claim 12, comprising: in response toa failure of the verification, inhibiting communication from thesecurity module, wherein the security module and the NFC router are partof a telecommunication device.
 18. A telecommunication device,comprising: a security module; and a near field communication (NFC)router having a processor, a plurality of gates, and logic through whichthe processor manages the plurality of gates, wherein, the NFC router,in operation: forms a plurality of communication pipes between gates ofthe plurality of gates; and responds to transmission, via one of theplurality of communication pipes to the security module, of a message ina NFC format requesting validation of an NFC transaction, bytransmitting information about an originating gate of the messagetransmitted via the one of the plurality of communication pipes to thesecurity module; and the security module, in operation: processes themessage requesting validation of the NFC transaction based on theinformation about the originating gate of the message, the processingthe message including verifying the originating gate is a validoriginating gate of messages in an NFC format based on identificationbits associated with an NFC router gate in the routing table.
 19. Theapparatus of claim 18, wherein the information about the originatinggate includes identification data identifying a communication pipelinking the originating gate and a second gate of the plurality ofgates.
 20. The apparatus of claim 19, wherein the identification dataincludes a signature calculated with an identifier of the communicationpipe, an identifier of the originating gate, and an identifier of thesecond gate.
 21. The apparatus of claim 20, wherein the router, inoperation, calculates the signature.
 22. The apparatus of claim 18,wherein the router, in operation, responds to a verification indicatingthat the gate from which the message originates represents an invalidoriginating gate by causing an alert to be presented to a user.
 23. Theapparatus of claim 18, wherein the router, in operation, responds to averification indicating that the gate from which the message originatesrepresents an invalid originating gate by causing communication from thesecurity module to be inhibited.
 24. A telecommunication device,comprising: a security module; and a router having a processor, aplurality of physical gates, and logic through which the processormanages the plurality of physical gates, wherein the router, inoperation, forms a plurality of communication pipes between respectivegates of the plurality of physical gates; and responds to transmission,via one of the plurality of communication pipes, of a message in a NFCformat requesting validation of an NFC transaction, by transmitting, tothe security module, information about an originating gate of themessage transmitted via the one of the plurality of communication pipes;and the security module, in operation: responds to receipt of themessage requesting validation of the NFC transaction by verifying theoriginating gate of the message is authorized to transmit messagesrequesting validation of NFC transactions, the verifying includingverifying the originating gate is authorized to transmit messages in anNFC format based on identification bits associated with an NFC routergate in the routing table.
 25. The telecommunication device of claim 24,wherein the security module is configured to verify the originating gateof the message is authorized to transmit messages requesting validationof NFC transactions based on data identifying a communication pipelinking a first gate of the router and a second gate of the routerincluded in the information about the originating gate.
 26. Thetelecommunication device of claim 25, wherein the data includes asignature calculated with an identifier of the communication pipe, anidentifier of the first gate, and an identifier of the second gate. 27.The telecommunication device of claim 26, wherein the router isconfigured to calculate the signature.
 28. The telecommunication deviceof claim 24, wherein the security module is configured to, in responseto a verification that the gate from which the message originatesrepresents an invalid originating gate, cause an alert to be presentedto a user.
 29. The telecommunication device of claim 24, wherein thesecurity module is configured to, in response to a verification that thegate from which the message originates represents an invalid originatinggate, cease communication.